Schema URL

Type: object

Properties

plan-of-action-and-milestones assembly_oscal-poam_plan-of-action-and-milestones required
$schema json-schema-directive

Definitions

json-schema-directive string

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

oscal-poam-oscal-poam:plan-of-action-and-milestones object

A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
metadata assembly_oscal-metadata_metadata required
poam-items assembly_oscal-poam_poam-item[] required
minItems=1
import-ssp assembly_oscal-assessment-common_import-ssp
system-id field_oscal-implementation-common_system-id
local-definitions assembly_oscal-poam_local-definitions
observations assembly_oscal-assessment-common_observation[]
minItems=1
risks assembly_oscal-assessment-common_risk[]
minItems=1
findings assembly_oscal-assessment-common_finding[]
minItems=1
back-matter assembly_oscal-metadata_back-matter
oscal-poam-oscal-poam:local-definitions object

Allows components and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.

components assembly_oscal-implementation-common_system-component[]
minItems=1
inventory-items assembly_oscal-implementation-common_inventory-item[]
minItems=1
assessment-assets assembly_oscal-assessment-common_assessment-assets
remarks field_oscal-metadata_remarks
oscal-poam-oscal-poam:poam-item object

Describes an individual POA&M item.

title string required

The title or name for this POA&M item.

description string required

A human-readable description of the POA&M item.

uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins object[]
minItems=1
related-findings object[]
minItems=1
related-observations object[]
minItems=1
related-risks object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:metadata object

Provides information about the containing document, and defines concepts that are shared across the document.

title string required

A name given to the document, which may be used by a tool for display and navigation.

last-modified field_oscal-metadata_last-modified required
version field_oscal-metadata_version required
oscal-version field_oscal-metadata_oscal-version required
published field_oscal-metadata_published
revisions object[]
minItems=1
document-ids field_oscal-metadata_document-id[]
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
roles object[]
minItems=1
locations object[]
minItems=1
parties object[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
actions assembly_oscal-metadata_action[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:location-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

oscal-poam-oscal-metadata:party-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

oscal-poam-oscal-metadata:role-id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

oscal-poam-oscal-metadata:back-matter object

A collection of resources that may be referenced from within the OSCAL document instance.

resources object[]
minItems=1
oscal-poam-oscal-metadata:property object

An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.

name string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
value string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string

A universal resource identifier (URI) formatted according to RFC3986.

format=uri
pattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
group string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:responsible-party object

A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.

role-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
party-uuids field_oscal-metadata_party-uuid[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:action object

An action applied by a role within a given party to the content.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
system string required

A universal resource identifier (URI) formatted according to RFC3986.

format=uri
pattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
date string

A string representing a point in time with a required timezone.

format=date-time
pattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:responsible-role object

A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.

role-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
party-uuids field_oscal-metadata_party-uuid[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-metadata:hash object

A representation of a cryptographic digest generated over a resource using a specified hash algorithm.

algorithm StringDatatype | enum required

The digest method by which a hash is derived.

value string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
oscal-poam-oscal-metadata:remarks string

Additional commentary about the containing object.

oscal-poam-oscal-metadata:published string

A string representing a point in time with a required timezone.

oscal-poam-oscal-metadata:last-modified string

A string representing a point in time with a required timezone.

oscal-poam-oscal-metadata:version string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-metadata:oscal-version string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-metadata:email-address

An email address string formatted according to RFC 6531.

oscal-poam-oscal-metadata:telephone-number object

A telephone service number as defined by ITU-T E.164.

number string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
type StringDatatype | enum

Indicates the type of phone number.

oscal-poam-oscal-metadata:address object

A postal address for the location.

type TokenDatatype | enum

Indicates the type of address.

addr-lines field_oscal-metadata_addr-line[]
minItems=1
city string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
state string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
postal-code string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
country string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
oscal-poam-oscal-metadata:addr-line string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-metadata:document-id object

A document identifier qualified by an identifier scheme.

identifier string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
scheme URIDatatype | enum

Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.

oscal-poam-oscal-implementation-common:system-component object

A defined component that can be part of an implemented system.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type StringDatatype | enum required

A category describing the purpose of the component.

title string required

A human readable name for the system component.

description string required

A description of the component, including information about its function.

status object required

Describes the operational status of the system component.

2 nested properties
state required

The operational status.

All of: TokenDatatype string, enum enum
remarks field_oscal-metadata_remarks
purpose string

A summary of the technological or business purpose of the component.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
protocols assembly_oscal-implementation-common_protocol[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:protocol object

Information about the protocol used to provide a service.

name string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A human readable name for the protocol (e.g., Transport Layer Security).

port-ranges assembly_oscal-implementation-common_port-range[]
minItems=1
oscal-poam-oscal-implementation-common:port-range object

Where applicable this is the IPv4 port range on which the service operates.

start

An integer value that is equal to or greater than 0.

All of: IntegerDatatype integer, number number
end

An integer value that is equal to or greater than 0.

All of: IntegerDatatype integer, number number
transport

Indicates the transport type.

All of: TokenDatatype string, enum enum
oscal-poam-oscal-implementation-common:implementation-status object

Indicates the degree to which a given control is implemented.

state TokenDatatype | enum required

Identifies the implementation status of the control or control objective.

remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:system-user object

A type of user that interacts with the system based on an associated role.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string

A name given to the user, which may be used by a tool for display and navigation.

short-name string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
description string

A summary of the user's purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
role-ids field_oscal-metadata_role-id[]
minItems=1
authorized-privileges assembly_oscal-implementation-common_authorized-privilege[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:authorized-privilege object

Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.

title string required

A human readable name for the privilege.

functions-performed field_oscal-implementation-common_function-performed[] required
minItems=1
description string

A summary of the privilege's purpose within the system.

oscal-poam-oscal-implementation-common:function-performed string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-implementation-common:inventory-item object

A single managed inventory item within the system.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A summary of the inventory item stating its purpose within the system.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
implemented-components object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:set-parameter object

Identifies the parameter that will be set by the enclosed value.

param-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
values StringDatatype[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-implementation-common:system-id object

A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.

id string required

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

pattern=^\S(.*\S)?$
identifier-type URIDatatype | enum

Identifies the identification system from which the provided identifier was assigned.

oscal-poam-oscal-control-common:part object

An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.

name string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
ns string

A universal resource identifier (URI) formatted according to RFC3986.

format=uri
pattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
title string

An optional name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-control-common_part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-control-common:parameter object

Parameters provide a mechanism for the dynamic assignment of value(s) in a control.

id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
depends-on string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
label string

A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.

usage string

Describes the purpose and use of a parameter.

constraints assembly_oscal-control-common_parameter-constraint[]
minItems=1
guidelines assembly_oscal-control-common_parameter-guideline[]
minItems=1
values field_oscal-control-common_parameter-value[]
minItems=1
select assembly_oscal-control-common_parameter-selection
remarks field_oscal-metadata_remarks
oscal-poam-oscal-control-common:parameter-constraint object

A formal or informal expression of a constraint or test.

description string

A textual summary of the constraint to be applied.

tests object[]
minItems=1
oscal-poam-oscal-control-common:parameter-guideline object

A prose statement that provides a recommendation for the use of a parameter.

prose string required

Prose permits multiple paragraphs, lists, tables etc.

oscal-poam-oscal-control-common:parameter-value string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

oscal-poam-oscal-control-common:parameter-selection object

Presenting a choice among alternatives.

how-many

Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.

All of: TokenDatatype string, enum enum
choice string[]
minItems=1
oscal-poam-oscal-control-common:include-all object

Include all controls from the imported catalog or profile resources.

oscal-poam-oscal-assessment-common:import-ssp object

Used by the assessment plan and POA&M to import information about the system.

href string required

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

format=uri-reference
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:local-objective object

A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.

control-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
parts assembly_oscal-control-common_part[] required
minItems=1
description string

A human-readable description of this control objective.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-method object

A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
part assembly_oscal-assessment-common_assessment-part required
description string

A human-readable description of this assessment method.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:activity object

Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this is an activity that was actually performed as part of an assessment.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this included activity.

title string

The title for this included activity.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
steps object[]
minItems=1
related-controls assembly_oscal-assessment-common_reviewed-controls
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:task object

Represents a scheduled event or milestone, which may be associated with a series of assessment actions.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type TokenDatatype | enum required

The type of task.

title string required

The title for this task.

description string

A human-readable description of this task.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
timing object

The timing under which the task is intended to occur.

3 nested properties
on-date object

The task is intended to occur on the specified date.

1 nested property
date string required

A string representing a point in time with a required timezone.

format=date-time
pattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
within-date-range object

The task is intended to occur within the specified date range.

2 nested properties
start string required

A string representing a point in time with a required timezone.

format=date-time
pattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
end string required

A string representing a point in time with a required timezone.

format=date-time
pattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
at-frequency object

The task is intended to occur at the specified frequency.

2 nested properties
period required

An integer value that is greater than 0.

All of: IntegerDatatype integer, number number
unit required

The unit of time for the period.

All of: StringDatatype string, enum enum
dependencies object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
associated-activities object[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
responsible-roles assembly_oscal-metadata_responsible-role[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:reviewed-controls object

Identifies the controls being assessed and their control objectives.

control-selections object[] required
minItems=1
description string

A human-readable description of control objectives.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
control-objective-selections object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:select-control-by-id object

Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements, providing more granularity over the specific statements that are within the assessment scope.

control-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
statement-ids TokenDatatype[]
minItems=1
oscal-poam-oscal-assessment-common:select-objective-by-id object

Used to select a control objective for inclusion/exclusion based on the control objective's identifier.

objective-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
oscal-poam-oscal-assessment-common:assessment-subject-placeholder object

Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
sources object[] required
minItems=1
description string

A human-readable description of the intent of this assessment subject placeholder.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-subject object

Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.

type TokenDatatype | enum required

Indicates the type of assessment subject, such as a component, inventory item, location, or party represented by this selection statement.

description string

A human-readable description of the collection of subjects being included in this assessment.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
include-all assembly_oscal-control-common_include-all
include-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
exclude-subjects assembly_oscal-assessment-common_select-subject-by-id[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:select-subject-by-id object

Identifies a set of assessment subjects to include/exclude by UUID.

subject-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type TokenDatatype | enum required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:subject-reference object

A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.

subject-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
type TokenDatatype | enum required

Used to indicate the type of object pointed to by the uuid-ref within a subject.

title string

The title or name for the referenced subject.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-assets object

Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.

assessment-platforms object[] required
minItems=1
components assembly_oscal-implementation-common_system-component[]
minItems=1
oscal-poam-oscal-assessment-common:finding-target object

Captures an assessor's conclusions regarding the degree to which an objective is satisfied.

type required

Identifies the type of the target.

All of: StringDatatype string, enum enum
target-id string required

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
status object required

A determination of whether the objective is satisfied or not within a given system.

3 nested properties
state required

An indication as to whether the objective is satisfied or not.

All of: TokenDatatype string, enum enum
reason TokenDatatype | enum

The reason the objective was given its status.

remarks field_oscal-metadata_remarks
title string

The title for this objective status.

description string

A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
implementation-status assembly_oscal-implementation-common_implementation-status
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:finding object

Describes an individual finding.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this finding.

description string required

A human-readable description of this finding.

target assembly_oscal-assessment-common_finding-target required
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
implementation-statement-uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
related-observations object[]
minItems=1
related-risks object[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:observation object

Describes an individual observation.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
description string required

A human-readable description of this assessment observation.

methods StringDatatype | enum[] required
minItems=1
collected string required

A string representing a point in time with a required timezone.

format=date-time
pattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
title string

The title for this observation.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
types TokenDatatype | enum[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
subjects assembly_oscal-assessment-common_subject-reference[]
minItems=1
relevant-evidence object[]
minItems=1
expires string

A string representing a point in time with a required timezone.

format=date-time
pattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:origin object

Identifies the source of the finding, such as a tool, interviewed person, or activity.

actors assembly_oscal-assessment-common_origin-actor[] required
minItems=1
related-tasks assembly_oscal-assessment-common_related-task[]
minItems=1
oscal-poam-oscal-assessment-common:origin-actor object

The actor that produces an observation, a finding, or a risk. One or more actor types can be used to specify a person that is using a tool.

type required

The kind of actor.

All of: TokenDatatype string, enum enum
actor-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-assessment-common:related-task object

Identifies an individual task of which the containing object is a consequence.

task-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
responsible-parties assembly_oscal-metadata_responsible-party[]
minItems=1
subjects assembly_oscal-assessment-common_assessment-subject[]
minItems=1
identified-subject object

Used to detail assessment subjects that were identified by this task.

2 nested properties
subject-placeholder-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
subjects assembly_oscal-assessment-common_assessment-subject[] required
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:threat-id object

A pointer, by ID, to an externally-defined threat.

system URIDatatype | enum required

Specifies the source of the threat information.

id string required

A universal resource identifier (URI) formatted according to RFC3986.

format=uri
pattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
href string

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

format=uri-reference
oscal-poam-oscal-assessment-common:risk object

An identified risk.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
title string required

The title for this risk.

description string required

A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.

statement string required

A summary of impact for how the risk affects the system.

status field_oscal-assessment-common_risk-status required
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
threat-ids field_oscal-assessment-common_threat-id[]
minItems=1
characterizations assembly_oscal-assessment-common_characterization[]
minItems=1
mitigating-factors object[]
minItems=1
deadline string

A string representing a point in time with a required timezone.

format=date-time
pattern=^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$
remediations assembly_oscal-assessment-common_response[]
minItems=1
risk-log object

A log of all risk-related tasks taken.

1 nested property
entries object[] required
minItems=1
related-observations object[]
minItems=1
oscal-poam-oscal-assessment-common:logged-by object

Used to indicate who created a log entry in what role.

party-uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
role-id string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
oscal-poam-oscal-assessment-common:risk-status TokenDatatype | enum

Describes the status of the associated risk.

oscal-poam-oscal-assessment-common:characterization object

A collection of descriptive data about the containing object from a specific origin.

origin assembly_oscal-assessment-common_origin required
facets object[] required
minItems=1
props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
oscal-poam-oscal-assessment-common:response object

Describes either a recommended or an actual plan for addressing the risk.

uuid string required

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
lifecycle TokenDatatype | enum required

Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.

title string required

The title for this response activity.

description string required

A human-readable description of this response plan.

props assembly_oscal-metadata_property[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
origins assembly_oscal-assessment-common_origin[]
minItems=1
required-assets object[]
minItems=1
tasks assembly_oscal-assessment-common_task[]
minItems=1
remarks field_oscal-metadata_remarks
oscal-poam-oscal-assessment-common:assessment-part object

A partition of an assessment plan or results or a child of another part.

name TokenDatatype | enum required

A textual label that uniquely identifies the part's semantic type.

uuid string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.

pattern=^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$
ns string

A universal resource identifier (URI) formatted according to RFC3986.

format=uri
pattern=^[a-zA-Z][a-zA-Z0-9+\-.]+:.+$
class string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

pattern=^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$
title string

A name given to the part, which may be used by a tool for display and navigation.

props assembly_oscal-metadata_property[]
minItems=1
prose string

Permits multiple paragraphs, lists, tables etc.

parts assembly_oscal-assessment-common_assessment-part[]
minItems=1
links assembly_oscal-metadata_link[]
minItems=1
Base64Datatype string

Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.

DateTimeWithTimezoneDatatype string

A string representing a point in time with a required timezone.

EmailAddressDatatype

An email address string formatted according to RFC 6531.

IntegerDatatype integer

A whole number value.

NonNegativeIntegerDatatype

An integer value that is equal to or greater than 0.

PositiveIntegerDatatype

An integer value that is greater than 0.

StringDatatype string

A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ ]+

TokenDatatype string

A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.

URIDatatype string

A universal resource identifier (URI) formatted according to RFC3986.

URIReferenceDatatype string

A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.

UUIDDatatype string

A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.